Sunday | 12 October, 2008
CIO
House Panel Blasts DHS CIO for Security Failures
Information provided by the DHS suggests that the CIO is failing to engage in defensive best practices that would limit penetrations into the DHS network
Jaikumar Vijayan (Computerworld (US)) 22 June, 2007 11:06:27

A US House subcommittee investigating cybersecurity vulnerabilities at the US Department of Homeland Security (DHS) has blasted the agency's CIO for his alleged lack of leadership on key security issues. Subcommittee members also questioned DHS CIO Scott Charbo's willingness to make needed security fixes and his ability to head the agency's IT operations.

Charbo rebutted the charges, saying that much of the criticism was based on outdated data that ignored security improvements the agency has been making.

The attacks on Charbo came at a hearing held by a subcommittee of the House Committee on Homeland Security. Committee Chairman Bennie Thompson said he had reviewed Charbo's written responses to a series of security-related questions the subcommittee had put to him. Based on those responses, "I think the first thing that Mr Charbo needs to do is explain to us why he should keep his job. I've spent some time reviewing Mr Charbo's responses to our questions, and reviewing the numerous IG (Inspector General) and GAO audits of his work. I am not convinced that he's serious about fixing the vulnerabilities in our systems."

Thompson's criticism was echoed by James Langevin, chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, which held the hearing. In prepared testimony, Langevin expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters and on those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency (FEMA).

The security issues Langevin highlighted in his testimony included a password-dumping utility found on two DHS servers, Trojans and other malicious programs found on numerous agency servers, and classified mail sent out over insecure networks.

"Information provided by the DHS suggests that the CIO is failing to engage in defensive best practices that would limit penetrations into the DHS network," Langevin said. The agency, he said, has yet to mandate two-factor authentication across its networks, does not perform ingress or egress filtering, and does not audit its networks for rogue tunnels.

Langevin also expressed dismay at what he said was Charbo's unwillingness to invest needed resources to fix such issues. "The finances show that Mr Charbo and the department's leadership continue to under-invest in IT security," Langevin said.

Other committee members grilled Charbo on his awareness of earlier computer intrusions at other federal agencies by Chinese hackers, and asked him why he had not sought detailed information on those attacks from US-CERT and the intelligence agencies.

Adding fuel to the criticism was a report recently released by the US Government Accountability Office (GAO), which said it had found pervasive and systemic security problems across the DHS during a one-year review.

Among the issues highlighted in the GAO report were a "material weakness" in the security controls over the DHS's financial systems, the absence of an effective agency-wide information security program and a failure to conduct comprehensive risk assessments. The GAO also highlighted the failure by CBP to implement controls that prevent, limit and detect access to critical systems and information, including the system that holds data on the US-VISIT program.

Testifying at the hearing, Keith Rhodes, the GAO's chief technologist, said that at a certain point in its review his agency simply stopped looking for more vulnerabilities at the DHS and its component agencies because they were so pervasive. Even though many of the vulnerabilities the GAO discovered were relatively minor configuration errors, the issues had still been largely overlooked at the agency, he said.

Charbo, however, maintained that the criticism was based on outdated data and did not account for several improvements DHS has made since. For instance, his agency has completed an inventory of its systems and has made significant progress in certifying and accrediting them under the Federal Information Security Management Act (FISMA), he said. CBP has likewise upgraded its Novell network and Microsoft Active Directory software as part of an effort to bolster security in both environments, he said.

In many cases where the GAO had pointed to specific vulnerabilities, it failed to take into account compensating controls the DHS has implemented, he said. Similarly, not all of the more than 800 security incidents DHS reported for fiscal 2005 and 2006 involved actual system compromises in which data was lost, he said. For example, the agency may have reported the discovery of a bot program on its networks, but that does not automatically mean the bot was transmitting data out of the agency's networks.
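Two of the points above turn on the same piece of evidence. Langevin faults the department for not filtering egress traffic or auditing for rogue tunnels; Charbo counters that a bot found on a host is not proof it sent anything out. Both questions are answered by the same audit of perimeter flow records. The script below is an added example for illustration, not code from DHS, the committee, the GAO or Computerworld. The flow records, the internal address range, the egress allowlist and the "tunnel-shaped session" thresholds are all constructed assumptions; the record layout is loosely modelled on a NetFlow export and is not any vendor's format.

```python
"""Egress-filter and rogue-tunnel audit over NetFlow-style records.

Added example for illustration; not code from DHS, the committee or
Computerworld. The record layout, address ranges, egress allowlist and
tunnel thresholds are assumptions constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space and egress policy: only these
# (protocol, destination port) pairs may leave the network directly.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Assumed heuristic for tunnel-shaped sessions: long-lived and low-rate on a
# port the egress filter permits, which is where a covert channel has to hide.
TUNNEL_MIN_SECONDS = 3600
TUNNEL_MAX_BYTES_PER_SEC = 2000

# Constructed sample export: start, duration (s), src, dst, dport, proto, bytes out.
# External addresses use the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """
# start    secs  src        dst            dport proto bytes_out
08:00:00   2     10.1.2.10  198.51.100.7   443   tcp   5120
08:00:05   1     10.1.2.10  203.0.113.53   53    udp   120
08:05:00   7200  10.1.2.44  198.51.100.9   443   tcp   900000
08:10:00   30    10.1.2.44  198.51.100.22  6667  tcp   4000
09:00:00   5400  10.1.2.44  203.0.113.53   53    udp   1500000
10:00:00   60    10.1.3.5   10.1.9.8       22    tcp   30000
11:00:00   1     10.1.2.10  198.51.100.7   8443  tcp   200
"""


@dataclass(frozen=True)
class Flow:
    start: str
    seconds: int
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated records; lines starting with '#' are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, secs, src, dst, dport, proto, out = line.split()
        flows.append(Flow(start, int(secs), src, dst, int(dport), proto.lower(), int(out)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound(flows: list[Flow]) -> list[Flow]:
    """Flows that cross the perimeter from inside to outside."""
    return [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]


def egress_violations(flows: list[Flow]) -> list[Flow]:
    """Outbound sessions an egress filter built on EGRESS_ALLOW would have dropped."""
    return [f for f in outbound(flows) if (f.proto, f.dport) not in EGRESS_ALLOW]


def tunnel_candidates(flows: list[Flow]) -> list[Flow]:
    """Permitted outbound sessions that look like tunnels: long-lived and low-rate."""
    return [
        f for f in outbound(flows)
        if (f.proto, f.dport) in EGRESS_ALLOW
        and f.seconds >= TUNNEL_MIN_SECONDS
        and f.bytes_out / f.seconds <= TUNNEL_MAX_BYTES_PER_SEC
    ]


def external_bytes(flows: list[Flow], host: str) -> int:
    """Bytes a host sent outside the perimeter: the evidence needed to say
    whether a bot found on that host actually transmitted anything."""
    return sum(f.bytes_out for f in outbound(flows) if f.src == host)


def audit(text: str) -> dict[str, list[Flow]]:
    flows = parse_flows(text)
    return {
        "egress_violations": egress_violations(flows),
        "tunnel_candidates": tunnel_candidates(flows),
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, hits in audit(SAMPLE_FLOWS).items():
        print(f"{name}: {len(hits)}")
        for f in hits:
            print(f"  {f.src} -> {f.dst}:{f.dport}/{f.proto} {f.seconds}s {f.bytes_out}B")
    print("bytes 10.1.2.44 sent outside:", external_bytes(flows, "10.1.2.44"))
```

On the constructed records the audit flags the IRC and 8443 sessions as traffic an egress filter would have blocked, and the two-hour HTTPS and 90-minute DNS sessions from 10.1.2.44 as tunnel-shaped; the same host's outbound byte count is what settles whether a bot found there was "transmitting data out", rather than the fact of the infection alone. The thresholds are deliberately crude and would need tuning against a real network's baseline before they were used for alerting.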

DHS is also in the midst of three key IT consolidation projects that will have a significant impact on security, Charbo said. The agency is collapsing all of its legacy wide area networks into a single network called OneNet, featuring IPSec-based encryption and authentication for improved security, Charbo said. As part of that move, the DHS has also implemented a security operations centre for managing OneNet security and for reporting incidents both within the agencies and outside, he said. By December, the DHS will have standardized on a single Target Enterprise Architecture that consolidates 13 different e-mail and directory systems into one system featuring better security, he said. The third consolidation initiative involves the melding of multiple data centres into a common shared infrastructure.

Charbo also defended his agency's spending on IT security, saying that it has been on par with industry norms. For 2007, the DHS will spend approximately $US332 million on security out of a total IT budget of $US4.9 billion. That figure is expected to rise to $US342 million out of a total requested IT budget of $US5.2 billion in fiscal year 2008, he said. As a percentage the security budget might remain about the same, but the actual dollar amount being spent is increasing, Charbo said.

"I'm confident that the DHS information security program is moving in the right direction," he said in prepared testimony. "Although we still have a ways to go, we've made measurable improvements in the management of information security at the department."
